Vulnerability: No matter how hard you obfuscate or encrypt your code, never, under any circumstances, rely on the client for any security aspect. Never!

How the plugin works: It generates a pseudo-random code on both the client and the server and uses it to generate a key. On form submit, the two key values are compared, and they must match for the comment to be inserted.

How the exploit works: It does nothing but act as a client. It parses the HTML, extracts the JavaScript, processes it to calculate the key, and fills the hidden field with it.